Bug#665324: ogre: CPPFLAGS hardening flags missing

Simon Ruderich simon at ruderich.org
Fri Mar 23 02:04:40 UTC 2012 

Package: ogre
Version: 1.7.4-4
Severity: important
Tags: patch

Dear Maintainer,

The CPPFLAGS hardening flags are missing because CMake ignores
them by default.

The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].

diff -Nru ogre-1.7.4/debian/rules ogre-1.7.4/debian/rules
--- ogre-1.7.4/debian/rules	2012-03-18 23:05:42.000000000 +0100
+++ ogre-1.7.4/debian/rules	2012-03-23 02:32:06.000000000 +0100
@@ -9,8 +9,12 @@
 #
 #export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow
 export DEB_BUILD_MAINT_OPTIONS := hardening=+bindnow
-export DEB_CFLAGS_MAINT_APPEND := -pipe -Wall
-export DEB_CXXFLAGS_MAINT_APPEND := -pipe -Wall
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags. dpkg_buildflags is necessary because $(shell ..)
+# doesn't use local environment variables.
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) dpkg-buildflags
+export DEB_CFLAGS_MAINT_APPEND   := -pipe -Wall $(shell $(dpkg_buildflags) --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND := -pipe -Wall $(shell $(dpkg_buildflags) --get CPPFLAGS)
 export DEB_LDFLAGS_MAINT_APPEND := -Wl,-z,defs -Wl,--as-needed
 

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/OgreXMLConverter /usr/bin/OgreMeshUpgrader /usr/bin/SampleBrowser ...
    /usr/bin/OgreXMLConverter:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/OgreMeshUpgrader:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: no, only unprotected functions found!
     Read-only relocations: yes
     Immediate binding: yes
    /usr/bin/SampleBrowser:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: yes
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120323/f7ebd0e5/attachment.pgp>

More information about the Pkg-games-devel mailing list